Description
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
Published: 2026-04-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

OpenClaw versions older than 2026.3.31 contain a concurrency control flaw in the public LINE webhook handler. Because there is no shared pre‑authentication concurrency budget, an attacker can push a high volume of concurrent requests into the handler before the signature verification step rejects them; every such request is buffered and checked, so the cost to the server is bounded only by the attacker's send rate, and the process loses its capacity to serve legitimate LINE deliveries. The weakness is recorded as CWE‑799 (Improper Control of Interaction Frequency), a resource exhaustion pattern, and the result is transient availability loss for the affected service.

Affected Systems

The vulnerability affects any OpenClaw installation running a version prior to 2026.3.31 (the CPE entry records OpenClaw as a Node.js application). The exposed surface is the LINE webhook endpoint, a URL that is public by design, since LINE's platform must be able to deliver events to it, and that accepts HTTP requests before any authentication: the request signature is checked only after the request has been accepted and its body read. Any deployment of the affected OpenClaw product that exposes this endpoint to the internet is therefore susceptible.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (Medium) and the CVSS v3.1 score of 5.3 both encode a network-reachable, low-complexity attack that needs no privileges and no user interaction, with a low impact confined to availability (VA:L in v4.0, A:L in v3.1). The EPSS score of less than 1 % suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. That should not be read as "hard to exploit": the SSVC record marks the issue as Automatable, and flooding the webhook endpoint with concurrent requests requires no credentials and no special tooling. Successful exploitation degrades or interrupts the bot and anything downstream that depends on LINE events reaching it. No confidentiality or integrity impact is recorded; the impact is limited to availability.

Generated by OpenCVE AI on April 28, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The CVE description and the linked advisory GHSA-qcc3-jqwp-5vh2 identify 2026.3.31 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.3.31 or later, which implements a shared pre‑authentication concurrency budget.
  • Configure external concurrency and rate limiting on the LINE webhook endpoint (e.g., an API gateway, or nginx with limit_conn_zone to cap simultaneous in-flight connections and limit_req_zone to cap request rate) so that excess traffic is shed before it reaches the application. A per-client-IP rate limit alone does not stop a distributed flood; a limit shared across all sources is the external analogue of the missing budget.
  • Restrict the webhook endpoint to trusted IP addresses or networks where the sending platform publishes stable egress ranges; otherwise rely on the concurrency limit plus signature verification. Monitor traffic for sudden spikes in requests that fail signature verification, which indicate a potential resource exhaustion attack.
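An added example of the reverse-proxy mitigation described above (this configuration is not part of OpenCVE's entry or the OpenClaw project; the path, upstream address, hostname and the numeric limits are assumptions to be tuned for the deployment):

```nginx
# Added example (not OpenClaw's or OpenCVE's): shed excess concurrency and
# request rate at nginx before traffic reaches the webhook handler.
# A single zone keyed on $server_name is shared by every client, which is
# what bounds a distributed flood; the per-IP rate limit handles single sources.
limit_conn_zone $server_name        zone=line_webhook_conn:1m;
limit_req_zone  $binary_remote_addr zone=line_webhook_req:10m rate=20r/s;

server {
    listen 443 ssl;                 # ssl_certificate directives omitted here
    server_name bot.example.com;    # assumed hostname

    location = /webhook/line {      # assumed webhook path
        limit_conn line_webhook_conn 32;              # at most 32 in-flight, any source
        limit_req  zone=line_webhook_req burst=40 nodelay;
        limit_conn_status 503;
        limit_req_status  429;
        client_max_body_size 64k;                     # assumed bound for webhook JSON
        proxy_pass http://127.0.0.1:3000;             # assumed OpenClaw listener
    }
}
```

limit_conn counts connections rather than requests, but with HTTP/1.1 keep-alive a connection carries requests one at a time, so it is a usable proxy for in-flight requests; it does not replace the in-process budget, since the application can still be reached by other paths or directly.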

Generated by OpenCVE AI on April 28, 2026 at 14:38 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-qcc3-jqwp-5vh2
Title: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
History

Fri, 24 Apr 2026 15:15:00 +0000

Type: Metrics (values added)
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type: Description (values added)
  OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
Type: Title (values added)
  OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency
Type: First Time appeared (values added)
  Openclaw; Openclaw openclaw
Type: Weaknesses (values added)
  CWE-799
Type: CPEs (values added)
  cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Type: Vendors & Products (values added)
  Openclaw; Openclaw openclaw
Type: References (values added)
Type: Metrics (values added)
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T14:32:21.869Z

Reserved: 2026-04-20T14:05:09.184Z

Link: CVE-2026-41343

Vulnrichment

Updated: 2026-04-24T14:31:23.355Z

NVD

Status: Analyzed

Published: 2026-04-23T22:16:40.803

Modified: 2026-04-28T18:56:20.397

Link: CVE-2026-41343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses